11 million "unbreakable" Ashley Madison passwords broken

A group of enthusiast hackers managed to decipher millions of leaked Ashley Madison passwords, thought to be cryptographically protected using bcrypt.

Bcrypt is an algorithm that makes cracking these passwords almost an impossible task – it was thought the process to crack the 15 million leaked Ashley Madison passwords would take decades.

Instead, almost all of them were broken in less than two weeks.

The group, which goes by the name CynoSure Prime, said they had discovered programming errors that made the passwords easier to crack. With that knowledge, it took them some 10 days to crack 11 million passwords. They’re looking to crack the remaining four million next.

“Through the two insecure methods of $logkinkey generation observed in two different functions, we were able to gain enormous speed boosts in cracking the bcrypt hashed passwords. Instead of cracking the slow bcrypt hashes directly, which is the hot topic at the moment, we took a more efficient approach and simply attacked the md5(lc($username).”::”.lc($pass)) and md5(lc($username).”::”.lc($pass).”:”.lc($email).”:73@^bhhs@&^@8@*$”) tokens instead. Having cracked the token, we simply then had to case correct it against its bcrypt counterpart,” the group said in a blog post.

“The $loginkey variable seemed to be used for automatic login, but we didn’t spend much time investigating further. It was generated upon user account creation and was re-generated when the user modified their account details including username, password and email address.”

In a report by s, it is said that in order to protect end users, the team members aren't releasing the plaintext passwords. The team members are, however, disclosing all the details others need to replicate the passcode recovery.